diff --git a/cloudwatch.tf b/cloudwatch.tf index 375ae7c..9eaec47 100644 --- a/cloudwatch.tf +++ b/cloudwatch.tf @@ -2,7 +2,7 @@ resource "aws_cloudwatch_log_group" "lambda_log" { name = "${var.log_group_prefix}${var.name}" #"/aws/lambda/${var.name}" retention_in_days = 365 - kms_key_id = aws_kms_key.encryption_rest.arn + kms_key_id = aws_kms_key.encryption.arn } # #https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_stream diff --git a/iam_role.tf b/iam_role.tf index 83c1d5e..a047780 100644 --- a/iam_role.tf +++ b/iam_role.tf @@ -40,12 +40,20 @@ resource "aws_iam_policy" "lambda_policy" { ], Resource = [local.cloudwatch_log_group_arn] }, + { + Effect = "Allow" + Action = [ + "sqs:SendMessage", + "sqs:GetQueueAttributes" + ] + Resource = aws_sqs_queue.dlq.arn + }, { Effect = "Allow", Action = [ "kms:Decrypt" ] - Resource = [aws_kms_key.encryption_rest.arn] + Resource = [aws_kms_key.encryption.arn] } ] }) diff --git a/kms.tf b/kms.tf index 69003ad..f363873 100644 --- a/kms.tf +++ b/kms.tf @@ -1,50 +1,113 @@ #https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key -resource "aws_kms_key" "encryption_rest" { +resource "aws_kms_key" "encryption" { enable_key_rotation = true - description = "Key to encrypt Amazon CloudWatch logs at rest." + description = "Key to encrypt all the cloud resources in ${var.name}." deletion_window_in_days = 7 - #checkov:skip=CKV2_AWS_64: KMS Key policy in a separate resource } #https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias -resource "aws_kms_alias" "encryption_rest" { - name = "alias/lambda-${var.name}-at-rest" - target_key_id = aws_kms_key.encryption_rest.key_id +resource "aws_kms_alias" "encryption" { + name = "alias/${var.name}" + target_key_id = aws_kms_key.encryption.key_id } -#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key_policy -resource "aws_kms_key_policy" "encryption_rest_policy" { - key_id = aws_kms_key.encryption_rest.id - policy = jsonencode({ - Id = "encryption-rest" - Statement = [ - { - Action = "kms:*" - Effect = "Allow" - Principal = { - AWS = "${local.principal_root_arn}" - } - Resource = "*" - Sid = "Enable IAM User Permissions" - }, - { - Effect : "Allow", - Principal : { - Service : "${local.principal_logs_arn}" - }, - Action : [ - "kms:Encrypt*", - "kms:Decrypt*", - "kms:ReEncrypt*", - "kms:GenerateDataKey*", - "kms:Describe*" - ], - Resource : "*", - Condition : { - ArnEquals : { - "kms:EncryptionContext:aws:logs:arn" : [local.cloudwatch_log_group_arn] - } - } - } +#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document +data "aws_iam_policy_document" "encryption_policy" { + statement { + sid = "Enable IAM User Permissions" + effect = "Allow" + principals { + type = "AWS" + identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"] + } + actions = [ + "kms:Encrypt", + "kms:Decrypt", + "kms:ReEncrypt*", + "kms:GenerateDataKey*", + "kms:DescribeKey", + "kms:Create*", + "kms:Enable*", + "kms:List*", + "kms:Put*", + "kms:Update*", + "kms:Revoke*", + "kms:Disable*", + "kms:Get*", + "kms:Delete*", + "kms:ScheduleKeyDeletion", + "kms:CancelKeyDeletion", + "kms:TagResource", + "kms:UntagResource" + ] + resources = [aws_kms_key.encryption.arn] + } + statement { + sid = "Allow CloudWatch to use the key" + effect = "Allow" + principals { + type = "Service" + identifiers = ["logs.amazonaws.com"] + } + actions = [ + "kms:Encrypt", + "kms:Decrypt", + "kms:ReEncrypt*", + "kms:GenerateDataKey*", + "kms:DescribeKey", + "kms:CreateGrant" + ] + resources = [aws_kms_key.encryption.arn] + condition { + test = "ArnEquals" + variable = "kms:EncryptionContext:aws:logs:arn" + values = [local.cloudwatch_log_group_arn] + } + } + statement { + sid = "Allow Lambda to use the key" + effect = "Allow" + principals { + type = "Service" + identifiers = ["lambda.amazonaws.com"] + } + actions = [ + "kms:Encrypt", + "kms:Decrypt", + "kms:ReEncrypt*", + "kms:GenerateDataKey*", + "kms:DescribeKey", + "kms:CreateGrant" ] - Version = "2012-10-17" - }) + resources = [aws_kms_key.encryption.arn] + } + statement { + sid = "Allow SSM to use the key" + effect = "Allow" + principals { + type = "Service" + identifiers = ["ssm.amazonaws.com"] + } + actions = [ + "kms:Encrypt", + "kms:Decrypt", + "kms:ReEncrypt*", + "kms:GenerateDataKey*", + "kms:DescribeKey" + ] + resources = [aws_kms_key.encryption.arn] + condition { + test = "StringEquals" + variable = "kms:CallerAccount" + values = [data.aws_caller_identity.current.account_id] + } + condition { + test = "StringEquals" + variable = "kms:ViaService" + values = ["ssm.${var.region}.amazonaws.com"] + } + } +} +#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key_policy +resource "aws_kms_key_policy" "encryption" { + key_id = aws_kms_key.encryption.id + policy = data.aws_iam_policy_document.encryption_policy.json } \ No newline at end of file diff --git a/lambda.tf b/lambda.tf index bc0f226..b7d40e7 100644 --- a/lambda.tf +++ b/lambda.tf @@ -12,7 +12,7 @@ resource "aws_lambda_function" "lambda_run" { role = aws_iam_role.lambda_role.arn handler = "handler.lambda_handler" runtime = "python3.8" - kms_key_arn = aws_kms_key.encryption_rest.arn + kms_key_arn = aws_kms_key.encryption.arn logging_config { log_format = "JSON" log_group = aws_cloudwatch_log_group.lambda_log.name @@ -25,11 +25,13 @@ resource "aws_lambda_function" "lambda_run" { log_stream_name = aws_cloudwatch_log_stream.log_stream.name } } + #https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq + dead_letter_config { + target_arn = aws_sqs_queue.dlq.arn + } + reserved_concurrent_executions = 5 #checkov:skip=CKV_AWS_50: Not applicable in this use case: X-Ray tracing is enabled for Lambda - #checkov:skip=CKV_AWS_115: Not applicable in this use case: Ensure that AWS Lambda function is configured for function-level concurrent execution limit #checkov:skip=CKV_AWS_117: This AWS Lambda function does not require access to anything inside a VPC - #checkov:skip=CKV_AWS_116: Not applicable in this use case - #checkov:skip=CKV_AWS_173: Not applicable in this use case #checkov:skip=CKV_AWS_272: Not applicable in this use case: Ensure AWS Lambda function is configured to validate code-signing } #https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule diff --git a/sqs.tf b/sqs.tf new file mode 100644 index 0000000..9eb452e --- /dev/null +++ b/sqs.tf @@ -0,0 +1,6 @@ +#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue +resource "aws_sqs_queue" "dlq" { + name = "${var.name}-lambda-dlq" + kms_master_key_id = aws_kms_key.encryption.arn + kms_data_key_reuse_period_seconds = 300 +} \ No newline at end of file diff --git a/ssm_parameter.tf b/ssm_parameter.tf index 870dbfa..4460a21 100644 --- a/ssm_parameter.tf +++ b/ssm_parameter.tf @@ -2,6 +2,6 @@ resource "aws_ssm_parameter" "parameter" { name = "/${var.name}" type = "SecureString" - key_id = aws_kms_key.encryption_rest.id + key_id = aws_kms_key.encryption.id value = "1234567890" } \ No newline at end of file